Over the years, the internet has become a dangerous place. As its popularity has increased, it has attracted more hackers looking to make a quick buck. However, as our dependency on the web grows, it becomes increasingly difficult to sever all ties. This means we have to protect one of our weakest points, the password.
Our passwords act as the primary defense against hackers accessing our accounts and the data they contain. With all the information within just one account, we need to make sure we employ the strongest password. But this creates a dilemma — a strong password is hard to memorize, but an easy-to-memorize password is a weak one. Plus, you need a unique password for every account you use, which can easily reach into double-digit figures. This is where a password manager comes in.
A password manager is an app with a database containing your login information for all the various accounts you use. The database is typically encrypted with a master password to prevent unauthorized access. While this master password may be combined with other secret unique information to increase security, a user typically won't need to memorize anything more than the master password itself.
The master password is how one part of the great dilemma is solved. You only need to memorize one strong password for all your accounts. However, you don't reuse this password — instead, you allow the manager to create passwords for all your other accounts.
Once a master password is created, you add the login information for all your accounts into the database. At this point, you'll want to replace the password for each account with a stronger one. Using the "change password" function for each of your accounts, the password manager will create a new passcode. The manager will allow you to choose from various parameters such as whether to include uppercase or lowercase, special characters, and the overall length of the passcode to create a strong password that you will never have to memorize.
- Premium Price (Single-User): The price to unlock all features for a single user.
- Family Price: Value pricing for multiple accounts. All but LastPass provide five user accounts for the listed price, with LastPass including six users. Like the Premium Price, this will unlock all features.
- Free Version Available: Whether or not you can use this service for free.
- Total Devices on Free/Paid Tiers: If you use the cloud-based password database features available in some of these apps, this will come in handy. These two rows show you how many total devices you can sync your database to on both the free and paid tiers of the service.
- Local-Only Mode: This feature provides security in place of convenience. Instead of using the cloud to synchronize the database, your database resides only on your device. This provides more control as to who has access to it and who can view its contents, and it decreases the risks of being hacked.
- Cloud Sync: Your database is stored in the cloud making it accessible across multiple devices. Using the cloud, any modification made on one device will automatically update all the other devices with access.
- Audit Passwords: The manager reviews all login credentials and will recommend changes to passwords. For example, the manager will recommend changing if your password hasn't been modified in a while (typically three months), or if you use the same password for multiple accounts.
- Share Passwords: Users can extend access to passwords (whether individually or as a group) to other users. Some managers require that the users receiving access already have an account with the service.
- Emergency Access: In the case of the user's death or incapacitation, loved ones can be assigned access to the database. This way, the user's online accounts can be managed or deleted depending on the user's situation.
- Tech Support: The managers on our list provide support through either an online ticket system or email. Email is superior as it is more convenient to use and not susceptible to failure because a web page went down.
- Autofill (Pre-Oreo): For Android users not running the latest iteration of the OS, the password manager offers some method to automatically fill login information into apps. Autofill is typically accomplished using Accessibility (which operates similarly to Autofill API) or via a special keyboard (with a special button to autofill).
- Autofill API (Oreo+): One of the new features with Android 8.0 Oreo was the inclusion of an Autofill API. If an app has this feature, you can select its database in your phone's settings, then user names and passwords from your database will be automatically populated into apps and websites on your phone.
- Autofill in Browsers (Pie+): Starting with Android 9.0 Pie, the Autofill API mentioned above was expanded to include browsers. This means, if the password manager supports this API and you're using a phone on Pie or higher, you'll be able to auto-fill passwords from your database in browsers like Google Chrome without having to use a workaround like the Accessibility plugin that some apps have offered in the past.
- Encryption: The method used to ensure the security of the database. As of today, the highest standard available is AES-256 encryption. Encryption protects the database by making it virtually unreadable to unauthorized users.
- Authenticator App Support: The ability to use a code from an authenticator app to strengthen security of your password database. This code serves as an OTP (one-time password) that you enter in addition to your password to prove your identity. Some examples include Google Authenticator, Microsoft Authenticator, and Authy.
- Universal 2nd Factor: Also known as U2F, this is another way of providing multi-factor authentication. U2F is a set of hardware keys (typically USB) which you need to log in to your database along with your password. Since you physically hold onto the hardware keys, many feel this provides the highest level of protection.
- Fingerprint Login: Using the fingerprint scanner on your device to access your database instead of having to input your master password. Fingerprint login provides convenience for users who repeatedly enter their database.
- Secure Cloud Storage: Encrypted cloud storage that comes with your subscription. LastPass and Keeper offer limited storage on their free tiers, while the other two password managers only include it with the premium plan.
- Bug Bounty Program: The security of a system is heavily dependent on its ability to work as intended all the time. However, even the most well-written code will have bugs and unforeseen errors. To combat this, companies offer a financial incentive to those outside the company to report these errors. Typically, higher rewards attract more white-hat hackers (hackers for the good guys) and higher skilled ones.
- White Paper Available: A technical report on how security and authentication are handled by the software. It provides necessary transparency and allows others to make suggestions to improve security for all.
Today's password managers can do more than just store your passwords. Many have been moved from local storage to cloud storage, which means a copy of your password database is available on all the devices you use and automatically syncs to ensure any modification is reflected on all systems. While not a requirement for our list, each of the managers chosen offers this feature.
Our first parameters revolved around security. We would only consider password managers that used the latest security tools available. Currently, that meant AES-256 (Advanced Encryption Standard with a 256-bit key), PBKDF2 SHA-256 (Password-Based Key Derivation Function 2 and Secure Hash Algorithm 2 with 256-bit digest), and salted hashes.
Another requirement was that all apps in this list had to use Android's new Autofill API. Found in Android 8.0 or higher, this feature lets you choose a system-wide password database that will be automatically populated into any login fields — including both apps and websites. To use it, you simply install one of these apps, set up your password database, then select it in your phone's settings.
Piggybacking on the last criterion, there should be some way to autofill passwords for all of the non-Android Oreo devices out there. Specifically, there should be a way to autofill passwords in apps, as most password managers can autofill within the browser (whether through a plugin or an integrated browser).
Emergency Access was another requirement, as it lets your loved ones access your account if you die or become incapacitated. With emergency access, your loved ones can close your accounts, access your finances, and take control of your online accounts when you are unable to do so. In that vein, you should also be able to share passwords.
Finally, we only selected apps that had well-designed interfaces and were easy to use, which eliminated apps such as KeePass. Users of all experience levels should easily be able to create a database, add logins, and autofill those logins. You shouldn't have to set up security tools or spend excessive time in the settings menu, and all of these apps meet those criteria.
Easily the most popular app on our list, LastPass has worked hard to offer an amazing array of features that are unmatched by any other password manager out there. Due to the abundance of features being offered at one of the lowest prices, we had to give it the top spot.
- Play Store Link: LastPass Password Manager (free)
LastPass was designed with cloud syncing in mind. The company intends for every user to have access to their database no matter what device they're using, with all their data perfectly in sync. This is exemplified by the fact that they are the only manager on our list to offer this feature for free. LastPass is available on all major operating systems and most major browsers, allowing access to their synchronized database no matter what device you're using.
One of the more important aspects of any password manager is security. A great password manager must utilize the highest level of security available to ensure your database won't be compromised. LastPass follows this principle and utilizes AES-256 encryption to protect your database.
Since LastPass doesn't support a local-only database, your password database resides in the cloud (with a copy stored locally on your device). This requires authentication (to ensure only authorized users are connecting to the servers) and encryption during transport. LastPass accomplishes this using PBKDF2-SHA256 salted hashes. Once the user is authenticated, a decryption key unlocks the local copy of your vault. All communication between the server and the user is within an encrypted connection, adding extra layers to the security.
In addition to the above protection, LastPass forgoes any contact with your decryption key, preventing them from accessing your database remotely. While they do store your database, they can't read its contents, ensuring your privacy remains intact.
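The separation described above, sketched as an added example (not LastPass's code or this article's): the client derives the vault key and a separate login hash with PBKDF2-SHA256, and the server keeps only a salted hash of the login hash. The iteration count, the email-as-salt choice and the `SyncServer` class are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this sketch


def derive_vault_key(master_password, email):
    """Client: stretch the master password into a 256-bit vault key."""
    salt = email.lower().encode()  # assumption: account email as the salt
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)


def derive_login_hash(vault_key, master_password):
    """Client: one-way value sent to the server in place of the key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


class SyncServer:
    """Hypothetical server: keeps only a salted hash of the login hash."""

    def __init__(self):
        self.accounts = {}  # email -> (salt, stored_hash)

    def register(self, email, login_hash):
        salt = secrets.token_bytes(16)
        stored = hashlib.pbkdf2_hmac("sha256", login_hash, salt, ITERATIONS)
        self.accounts[email] = (salt, stored)

    def authenticate(self, email, login_hash):
        if email not in self.accounts:
            return False
        salt, stored = self.accounts[email]
        candidate = hashlib.pbkdf2_hmac("sha256", login_hash, salt, ITERATIONS)
        return hmac.compare_digest(candidate, stored)


def client_login(server, email, master_password):
    """Return (authenticated, vault_key); only the login hash leaves the client."""
    vault_key = derive_vault_key(master_password, email)
    ok = server.authenticate(email, derive_login_hash(vault_key, master_password))
    return ok, (vault_key if ok else None)


if __name__ == "__main__":
    # Constructed account and password, for illustration only.
    email, password = "user@example.com", "correct horse battery staple"
    server = SyncServer()
    key = derive_vault_key(password, email)
    server.register(email, derive_login_hash(key, password))
    print(client_login(server, email, password)[0])   # correct password
    print(client_login(server, email, "123456")[0])   # wrong password
```

Nothing in the server's record equals the vault key or the login hash, so the stored data can verify a login without being able to decrypt the vault.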
LastPass also supports authenticator apps like Authy or Google Authenticator, which provide an additional step to prove your identity. An even more secure version of this is Universal 2nd Factor (U2F), which houses a one-time password (OTP) within a USB stick, and it's also supported. The user must physically possess the USB stick in order to prove authentication, protecting against remote attacks.
LastPass also tries to improve its users' personal security by auditing passwords. Upon review, LastPass will suggest you make changes to passwords that are weaker or have been repeated. Premium plans have access to 1 GB of secure storage to hold your most precious data. LastPass also uses a bug bounty program, offering awards up to $5,000 for any vulnerabilities (or bugs) found within their software.
LastPass checks most boxes of essential features users want in a password manager, including no-workaround autofill for your apps on Oreo or higher, and autofill in browsers on Android Pie and up. With the exception of a local-only mode, users are provided everything else needed in a top-tier password manager.
Somehow, LastPass is able to offer this at $36 a year, which is one of the cheapest options on this list. Its family pricing is not only the lowest at $48 a year, but it also includes six accounts compared to the competition's five. Even better, you can use most features for free! LastPass provides security, convenience, and privacy while remaining relatively inexpensive. And for these reasons, it is number one on our list.
Keeper is an excellent alternative to LastPass if you're looking for additional security. If you don't want to trust any company with your database, Keeper offers one of the few essential features not supported by LastPass — a local-only database. It does this while standing toe-to-toe with LastPass on most other fronts.
- Play Store Link: Keeper Password Manager (free)
Keeper offers both a free version and a premium version. Keeper's premium price (for one user) is the cheapest option on our list, while its family pricing is the most expensive. However, the free option is where it loses the most ground to LastPass.
In the free version, cloud syncing isn't available. Your database is stored and encrypted locally, and not located anywhere else. Therefore, you never have to worry about your vault traveling across the web — but the downside is you'll have to manually copy your database over to any other devices, while repeating changes manually on each device.
In addition, Keeper is a "zero knowledge" service, which means it doesn't know your master password, store any information, or have access to your decryption key. This means Keeper cannot access your database, protecting you from them and reducing the consequences if Keeper was to ever become compromised.
However, local-only does surrender the convenience of syncing your database across multiple devices and platforms. For users who care more about this convenience, they will need the premium version.
With the premium version (whether single or family), users have access to several features, including cloud sync and unlimited password storage. Users also gain the ability to use the fingerprint scanner on their device to log into their database versus inputting the master password each time.
In addition to sharing passwords, Keeper's premium version also includes Emergency Access. This feature allows users to give up to five loved ones access to their account in case of an emergency (such as death). The emergency contacts will need to wait a specific time before accessing, but after that, they can manage your vault. Users can modify the list of loved ones at any time.
Keeper's premium plan offers the largest capacity of cloud storage at 10 GB, but you can only store up to six files on the free tier. Keeper also allows premium users to share passwords, with the only requirement being that the other party is also a Keeper user. The same security tools used to protect your vault when using sync features are used to share the password safely and securely.
Another thing to address is Keeper's bug bounty program. While they do have a partnership with BugCrowd that invites white-hat hackers to try and penetrate their security, the incentives are mere internet points instead of cash. Internet fame is obviously less of a motivating factor to find flaws than the actual money being offered by the other apps on this list.
Keeper is a great alternative to LastPass' free version. It allows users to have a local-only database, which is more secure than using cloud storage. For premium users, it offers many of the same features as LastPass (including two that LastPass doesn't have) with a price tag that's slightly lower. But while the single-user price is marginally lower, the family pricing is more costly for fewer users. However, because of its lengthy feature list and local-only free version, Keeper is highly deserving of its second-place finish on our list.
Dashlane's approach to the password manager centers on ease of use. It accomplishes this with a well-designed app and with a set of unique security features.
- Play Store Link: Dashlane Password Manager (free)
First off, let me stress that Dashlane is well designed. Each menu option is clearly labeled, removing any guesswork to its function. The default page is Recent Items, providing quick access to the accounts you frequently use. The integrated browser provides autofill for webpages and accounts without apps, and this functionality is also available on Android Pie or higher with other browsers.
Dashlane also has a free version which removes cloud syncing (similar to Keeper), allowing for a local-only mode. Premium users can also turn off synchronization, which removes all copies of your database besides the local copy on your device. Therefore, premium users can choose how they wish to utilize Dashlane.
Dashlane supports autofill via Autofill API for Oreo users and via Accessibility plugins for older devices. However, one of the biggest features of Dashlane is Critical Account Protection.
Critical Account Protection reduces the difficulty of using a password manager. Dashlane will scan your email inbox and add all accounts associated with that email address. It audits each account's security and creates a report that displays information such as a timeline of when accounts were created, what type of accounts you have, and the risk level if a breach occurs. You are then given the ability to mitigate the risk by quickly changing passwords.
Overall, the main issue with Dashlane is its price tag. It supports many of the same key features that LastPass and Keeper offer, but it comes at a cost. It has the highest single-user price per year and doesn't offer family pricing. That means if a family wants to use Dashlane, each user must pay $39.99 a year. While not a bad option, LastPass and Keeper offer similar value for less.
While 1Password is last on our list, it does have advantages not found with the other managers. Specifically, 1Password's approach to security is greater than the previous three options and is highly recommended for those who want cloud synchronization in the most secure method possible.
- Play Store Link: 1Password (free)
1Password authenticates users using what is known as a two-secret key derivation. Normally, managers use the master password to create a hash to authenticate users with their servers. A hash is a one-way function that alters data (in this case the master password) to a fixed size. The modification is usually irreversible (hence one-way) so hackers aren't able to derive the master password from the hash.
1Password goes a step further by introducing a second component. This component is known as the Secret Key, and it's also unique and only known by the user, improving the security of the hash. The Secret Key is a string of characters that is first generated by your device when you initially create an account. This key is stored locally and is inaccessible by 1Password. While you'll never need to memorize the key as the system automatically retrieves it, its uniqueness is what makes it secure and helps with authentication.
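A simplified sketch of the two-secret idea, added here as an example and not 1Password's implementation: a key stretched from the master password is combined with a key derived from a device-held Secret Key, so the password alone no longer reproduces what the service checks. The XOR combination, the HKDF step, the iteration count, the `two-secret-demo` label and the `verifier` construction are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this sketch


def generate_secret_key():
    """Created once on the device at sign-up; never sent to the service."""
    return secrets.token_bytes(32)


def hkdf_sha256(key_material, info, length=32):
    """HKDF (RFC 5869) extract-then-expand, using an all-zero salt."""
    prk = hmac.new(b"\x00" * 32, key_material, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def password_only_key(master_password, salt):
    """Conventional design: the master password is the only secret input."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)


def two_secret_key(master_password, secret_key, salt):
    """Two-secret design: PBKDF2(password) XOR HKDF(Secret Key)."""
    from_password = password_only_key(master_password, salt)
    from_device = hkdf_sha256(secret_key, b"two-secret-demo")
    return bytes(a ^ b for a, b in zip(from_password, from_device))


def verifier(key):
    """Value the service stores to check a login (hash of the derived key)."""
    return hashlib.sha256(b"verifier" + key).digest()


def password_alone_reproduces(stored, salt, master_password):
    """With the server record and the right password but no Secret Key,
    the key must be guessed; a random 256-bit guess stands in for that."""
    guess = secrets.token_bytes(32)
    candidate = verifier(two_secret_key(master_password, guess, salt))
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    salt, weak = secrets.token_bytes(16), "123456"  # constructed sample values
    device_key = generate_secret_key()
    stored = verifier(two_secret_key(weak, device_key, salt))
    print(verifier(two_secret_key(weak, device_key, salt)) == stored)  # both secrets
    print(password_alone_reproduces(stored, salt, weak))               # password only
```

Even with a weak master password such as "123456", the derived key carries the full 256 bits of the device secret, which is why a stored verifier on its own cannot be checked against password guesses.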
Because of this two-secret key derivation, 1Password believes it is unnecessary to support third-party authenticators or universal 2nd factor (U2F). While they do have a point, the idea of having something on you to assist with authentication does ease the fear of customers and provides them some level of control that's unavailable with a software-based solution.
1Password has by far the largest reward for its bug bounty program, offering payment up to $100,000 for potential vulnerabilities. Such a large amount will attract higher-skilled white hat hackers (good guy hackers) and lead to a more secure platform.
For years, 1Password offered local-only storage. However, as of two years ago, it has transitioned to a subscription model and stopped offering the ability to create new accounts for the standalone model. So while there is a free tier, there's no way to access it unless you already had a license.
Pricing is high, charging the second most for single user and family subscriptions (with the latter only 11 cents away from the most expensive listing). Also, it is the only one on our list without a free version, but it does offer a free trial for 30 days. One final downside is a lack of support for autofill in browsers on Android Pie or higher.
Nonetheless, 1Password is a great option, especially for those not using multi-factor authentication who want the convenience of a cloud database. However, its lack of a free version and high pricing forced us to place it last on our list.
With the frequency of cyber attacks increasing, users need to fortify their online defenses. However, according to Splashdata, last year continued the trend of people using the passwords "123456" and "password" for many accounts. But as previously mentioned, it is difficult to memorize a unique and complex password, especially for the many accounts we have. This is why in 2018, password managers are vital.
While password managers vary in functionality based on platform, for Android users, the best password manager available is LastPass. With its rich features, wide availability, and low pricing, users should look no further when it comes to storing their passwords. However, if you're looking for maximum privacy and want to store your database locally, then Keeper is your best option.
Are you using a password manager? If you aren't, why not? Let us know in the comments below. And for more information on how to keep your Android secure, check out our Android Security collection using the link below.
This article was produced during Gadget Hacks' special coverage on smartphone privacy and security. Check out the whole Privacy and Security series.